Risky Bulletin: Contactless Payment Card Relay Fraud Booms in Russia
Hosted by risky.biz | Released on January 23, 2025
Introduction
In this episode of Risky Bulletin, host Claire Aird runs through the week's cybersecurity news: a surge in contactless payment relay fraud in Russia, a zero-day and new malware on network edge devices, new web-attack techniques, and regulatory and legal developments, with the risk and the mitigation for each.
1. Surge in Contactless Payment Card Relay Fraud in Russia
Timestamp: [00:04]
Russian citizens have reportedly lost over 40 million rubles (roughly US$400,000) to a sharp rise in contactless payment card relay fraud. According to the Russian security firm F.A.C.C.T., more than 400 NFC relay attacks were recorded in the past two months alone. The technique was first seen in Chechnya in late 2023.
The attack starts with social engineering: victims are tricked into installing a malicious Android app built around a modified version of NFCGate, an open-source NFC relay tool originally written for academic research. The app asks the victim to hold their payment card against the phone and enter the PIN; the card's NFC exchange and the PIN are relayed to a second phone in the attacker's hands, either in real time at an ATM to withdraw cash or to tokenize the card for later transactions.
Claire Aird notes, “F.A.C.C.T. says it's seeing increased chatter in criminal forums about the technique, along with plans to create a malware-as-a-service platform to automate future attacks” [00:45]. A malware-as-a-service offering would let operators with no NFC expertise run the scheme at scale, which is what makes the trend a growing threat to both individual users and financial institutions across Russia.
2. Russian Internet Watchdog Demands Real Names from Social Media Influencers
Timestamp: [02:10]
Russia's internet watchdog, Roskomnadzor, has stepped up its regulation of social media by requiring accounts with more than 10,000 subscribers to register their owners' real names with the agency by the start of the year. Accounts that have not complied are barred from monetizing their channels through advertising.
The directive applies to a broad range of online personalities, including bloggers, Telegram channel operators, and other social media influencers. Claire Aird highlights, “The provision covers online bloggers, Telegram channels, and social media accounts, aiming to tighten government oversight over digital content creators” [03:05].
3. Cyber Attack Disrupts Operations at Government Contractor Conduent
Timestamp: [04:30]
Government technology contractor Conduent suffered a disruptive cyber attack earlier in January that took down its systems and affected services in states including Oklahoma and Wisconsin. Conduent runs critical state systems, including Medicaid, child support, and food assistance programs.
Restoration is still ongoing, with Conduent working to mitigate the impact and to strengthen its defenses against a repeat incident.
4. Appeals Court Vacates Sentence of Pompompurin from Breach Forums
Timestamp: [06:15]
An appeals court has vacated the sentence of Conor Brian Fitzpatrick, known online as Pompompurin, the administrator of the cybercrime marketplace BreachForums. Fitzpatrick had been sentenced to time served and 20 years of supervised release; the appeals court found that sentence inadequate and sent the case back to the district court for resentencing.
DOJ prosecutors argued that the judge "abused her discretion in handing down a sentence far less than the 15-year minimum the initial charges required" [07:00], citing the severity of Fitzpatrick's role in facilitating cybercrime through BreachForums.
5. Chinese APT Group Compromises South Korean VPN Provider IPany
Timestamp: [08:40]
A Chinese Advanced Persistent Threat (APT) group, tracked by ESET as PlushDaemon, compromised the South Korean VPN provider IPany and replaced its legitimate VPN installer with a trojanized version. The malicious installer was served from November 2023 to May 2024 and infected users who downloaded it with a backdoor named SlowStepper.
ESET also reports that the group hijacks legitimate software updates for certain Chinese applications, so its activity extends well beyond this one VPN supply-chain compromise.
6. Emergence of 'J-magic' Malware Targeting Juniper Enterprise Routers Used as VPN Gateways
Timestamp: [10:25]
J-magic, a newly identified backdoor, has been found on Juniper enterprise routers, many of them acting as VPN gateways, in a campaign dating back to September 2023. According to Lumen, the malware listens passively for a series of "magic packets" and then issues a certificate-based challenge that the operator must answer before it grants access to the device. Because the agent waits for inbound magic packets rather than beaconing out, it avoids the outbound connections that network monitoring usually catches. To date, there is no attribution linking J-magic to any known threat actor.
Claire Aird emphasizes, “J-magic uses a series of magic packets and a certificate-based challenge before allowing attackers to compromise the devices” [11:00], highlighting the complexity and stealth of this threat.
7. SonicWall Addresses Critical Zero-Day Vulnerability in SMA 1000 Security Gateways
Timestamp: [12:50]
SonicWall has issued a patch for an actively exploited zero-day vulnerability in its SMA 1000 secure access gateways. The flaw, tracked as CVE-2025-23006 and rated 9.8 out of 10, is a pre-authentication deserialization of untrusted data in the appliance's management consoles (AMC and CMC) that lets an unauthenticated remote attacker execute arbitrary OS commands on affected devices.
With more than 2,300 SonicWall SMA appliances exposed on the internet, administrators should apply the patch without delay and, because the bug is pre-authentication and already exploited, check the management interfaces for signs of prior compromise rather than assuming the patch alone closes the incident.
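To make concrete why "pre-authentication deserialization" is read as "remote code execution", here is an added illustration of the bug class in Python using pickle. It is not SonicWall's code and says nothing about how the SMA 1000 is implemented; the Gadget class, the record() side effect and the allow-list are assumptions made for this example.

```python
"""Insecure deserialization: attacker-chosen code runs during load, before auth.

Constructed illustration of the vulnerability class (not SonicWall's code).
"""
import io
import pickle
from typing import Any, List, Set, Tuple

EXECUTED: List[str] = []   # records side effects caused purely by deserialising input


def record(tag: str) -> str:
    """Stand-in for the command an attacker would run; here it only logs."""
    EXECUTED.append(tag)
    return tag


class Gadget:
    """Attacker-crafted object: __reduce__ tells pickle to call record() with
    attacker-chosen arguments at load time, before any business logic or auth."""

    def __reduce__(self) -> Tuple[Any, Tuple[str]]:
        return (record, ("gadget-ran",))


def craft_payload() -> bytes:
    """The bytes an unauthenticated client would send to a vulnerable endpoint."""
    return pickle.dumps(Gadget())


def vulnerable_load(data: bytes) -> Any:
    """Vulnerable pattern: deserialise whatever arrived on the network."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: only globals on an explicit allow-list may be resolved,
    so a payload referencing record() (or os.system) is rejected before it runs."""

    ALLOWED: Set[Tuple[str, str]] = {("builtins", "dict"), ("builtins", "list")}

    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def hardened_load(data: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def hardened_load_rejects(data: bytes) -> bool:
    """True if the hardened loader refuses the payload without executing it."""
    before = len(EXECUTED)
    try:
        hardened_load(data)
    except pickle.UnpicklingError:
        return len(EXECUTED) == before
    return False


if __name__ == "__main__":
    payload = craft_payload()
    print("hardened loader rejects payload:", hardened_load_rejects(payload))
    print("vulnerable loader returns:", vulnerable_load(payload))
    print("side effects from loading:", EXECUTED)
```

The allow-list is the important design choice: the only robust fix for this class is to never resolve arbitrary types or callables from untrusted bytes, whether that means a restricted unpickler as above, a data-only format such as JSON, or, for Java-style appliances, a deserialization filter. Authentication in front of the endpoint reduces exposure but does not fix the bug.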
8. PortSwigger Introduces the 'Cookie Sandwich' Attack Technique
Timestamp: [14:30]
PortSwigger has published a new attack technique it calls the cookie sandwich. It abuses the way some server-side frameworks parse cookies: a cookie value that begins with a double quote is treated as a quoted string running until the next quote, so two attacker-controlled cookies placed on either side of a victim's HttpOnly cookie make the server swallow the HttpOnly cookie into the value of the first one. If the application then reflects that cookie value into a response, the HttpOnly cookie leaks to the attacker. The HttpOnly flag only stops JavaScript from reading document.cookie; it does nothing about a server echoing the value back, which is why the technique effectively bypasses it.
"The Cookie Sandwich technique manipulates cookie parsing to expose sensitive information that should remain secure," explains Claire Aird [15:10]. The technique is a reminder that differences between how browsers serialize cookies and how servers parse them are an attack surface in their own right.
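The parser differential described above, as an added example that is not PortSwigger's code. Both parsers are written from scratch here to show the two behaviours side by side; the cookie names, the session value and the reflecting endpoint are constructed for the example, and no real framework is identified.

```python
"""Cookie-parsing differential behind the 'cookie sandwich' attack class.

Constructed illustration, not PortSwigger's code.
"""
from typing import Callable, Dict, List, Tuple


def parse_cookies_legacy(header: str) -> Dict[str, str]:
    """RFC 2109-style parser: a value that starts with a double quote runs
    until the closing quote, so ';' inside the quotes does not end the cookie."""
    cookies: Dict[str, str] = {}
    i, n = 0, len(header)
    while i < n:
        while i < n and header[i] in " ;":      # skip separators and whitespace
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        if eq == -1:
            break                                # name without a value: stop
        name = header[i:eq].strip()
        i = eq + 1
        if i < n and header[i] == '"':           # quoted-string value
            close = header.find('"', i + 1)
            if close == -1:
                close = n                        # unterminated quote: take the rest
            value = header[i + 1:close]
            i = close + 1
        else:                                    # plain value up to the next ';'
            semi = header.find(";", i)
            if semi == -1:
                semi = n
            value = header[i:semi].strip()
            i = semi
        cookies[name] = value
    return cookies


def parse_cookies_rfc6265(header: str) -> Dict[str, str]:
    """RFC 6265-style parser: split on ';' first and never interpret quotes."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        name, sep, value = pair.partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def build_cookie_header(cookies: List[Tuple[str, str]]) -> str:
    """Serialise cookies the way a browser does ('a=1; b=2'), in the order given."""
    return "; ".join(f"{name}={value}" for name, value in cookies)


# Constructed sandwich: two attacker-set cookies (each a lone double quote)
# bracket the HttpOnly session cookie in the order the browser sends them.
SANDWICH: List[Tuple[str, str]] = [
    ("param1", '"'),
    ("session", "S3CR3T-HTTPONLY"),   # assumed HttpOnly cookie the attacker wants
    ("param2", '"'),
]
HEADER = build_cookie_header(SANDWICH)   # param1="; session=S3CR3T-HTTPONLY; param2="


def reflect_param1(parser: Callable[[str], Dict[str, str]], header: str) -> str:
    """Assumed endpoint that echoes the 'param1' cookie into the response body.
    With the legacy parser the echoed value carries the session cookie."""
    return f"<p>param1 = {parser(header).get('param1', '')}</p>"


if __name__ == "__main__":
    print("Cookie header:", HEADER)
    print("legacy :", parse_cookies_legacy(HEADER))
    print("rfc6265:", parse_cookies_rfc6265(HEADER))
    print(reflect_param1(parse_cookies_legacy, HEADER))
```

Two things follow from running it. The leak is entirely server-side, so HttpOnly, which only governs document.cookie, cannot stop it; the attacker still needs some way to set the two bracketing cookies for the victim (the technique assumes that) and an endpoint that reflects a cookie value. The defences are therefore on the server: parse cookies with RFC 6265 semantics (split on ';' first, never honour quotes), and treat cookie values as untrusted input that is never reflected raw into responses.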
9. Cache Poisoning Vulnerability Discovered in Next.js Framework
Timestamp: [16:05]
Security researcher Rachid Allam (zhero) has identified a cache poisoning vulnerability in the popular JavaScript framework Next.js. It lets attackers plant cross-site scripting (XSS) payloads in the cached responses of applications built on Next.js; the affected applications he tested included companies in the cryptocurrency, e-commerce, and financial technology sectors.
Allam earned six figures in bounties by reporting the issue to multiple bug bounty programs before it was patched in October 2024.
10. Vulnerability in Subaru's Starlink In-Car Technology
Timestamp: [17:50]
Two security researchers, Sam Curry and Shubham Shah, uncovered a critical vulnerability in Subaru's STARLINK connected-vehicle service. The flaw let a remote attacker start or stop a vehicle, lock or unlock its doors, and retrieve its location data, and exploiting it required only minimal information about the victim, such as an email address, phone number, or license plate number.
Subaru has confirmed that there is no evidence the vulnerability was exploited in the wild, and the company has since patched the issue.
11. UK Government Launches Digital Identity Documents and Wallet App
Timestamp: [19:30]
The UK government is set to roll out digital identity documents, including digital driver's licenses and veteran cards, later this year. Alongside these documents it will introduce a digital wallet app, GOV.UK Wallet, in which users can store their credentials and present them for online and in-person verification.
The initiative aims to streamline identity verification and to reduce reliance on photocopies and scans of physical documents in digital transactions.
12. Google's New Android Security Feature Enhances Data Protection
Timestamp: [21:15]
Google has announced Identity Check, a new Android security feature that requires biometric authentication to access sensitive settings and account data whenever the device is outside a location the user has marked as trusted.
According to Google, the feature is designed to "protect the user's data in the case of a device's theft," adding a layer of protection beyond the passcode alone for a thief who has watched the owner unlock the phone.
13. LinkedIn Premium Users Sue Microsoft Over AI Data Usage
Timestamp: [23:00]
A group of LinkedIn Premium users has filed a lawsuit against Microsoft, alleging that the company used their private messages to train its AI models without proper consent. The plaintiffs claim Microsoft neither notified users nor gave them a way to opt out of having their data used for AI training.
The plaintiffs further assert that, once the practice came to light, Microsoft quietly altered its privacy policy to justify the data use after the fact.
Conclusion
This episode of Risky Bulletin shows the range of threats in play in early 2025: fraud schemes scaling through malware-as-a-service, state-backed supply-chain compromises, zero-days in internet-facing appliances, new web-attack techniques, and legal fights over data use. Each item carries a practical lesson: patch exposed appliances promptly, distrust unsolicited apps, and audit how your own software parses and caches untrusted input.
Prepared by Catalin Cimpanu, read by Claire Aird.
